As host-based network defenses get stronger, malware writers are adapting by becoming stealthier. Stealth techniques can hide many aspects of a malware infection on a system from the user, from the operating system, and from host-based security software. Malware can run in environments outside of the operating system, including the BIOS or on devices such as a graphics or network card. Hardware implants, such as the type used for espionage, also allow attackers to circumvent any host-based security. These types of infections cannot be detected with any tool running on the compromised machine. Therefore, in order to identify advanced infections one must look at the activity outside of the machine itself. One of the best places to look for advanced infections is network communications, because almost all malware requires network access to perform functions such as receiving additional instructions, transferring stolen information, or infecting additional machines.
While stealth is an effective method, it produces an identifiable anomaly if the malware has to communicate on the network, i.e. network traffic that the host system is not aware of. In a normal computer environment, the only network traffic that is generated should come from within the operating system itself and flow through the legitimate network channels the operating system provides. Because malware can circumvent these legitimate network channels, it is able to send and receive network traffic without higher-level software recognizing that communications are occurring. However, this stealth network traffic is still visible to the network hardware that handles it. Because it looks like legitimate network traffic, many network security devices are not able to determine that the traffic came from a malicious source without looking into the packet payload to find signatures of known malware behavior. This method of detection is unable to find unknown malware, and is computationally intensive because it requires comparing data snippets from both legitimate and malicious sources with a large database of known malware signatures. With the proposed method, the mere existence of a packet that has not been seen by the accepted data pathways is indication enough of a possible malicious compromise.
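A minimal form of this host-versus-wire comparison, added here as an example and not taken from the patent: each instrumented host reports the flows its operating system knows about, a tap reports every flow seen on the segment, and any flow leaving a monitored host that the host never reported is flagged. The flow line format, the host addresses and the two-host sample are constructed for the example.

```python
"""Compare what each host reports sending with what a network tap saw.
Added example of the method above with constructed data, not the patent's code.
A flow is the tuple (proto, src_ip, src_port, dst_ip, dst_port)."""
from collections import defaultdict

def parse_flows(lines):
    """Parse 'proto src_ip:src_port dst_ip:dst_port' lines into a set of flows."""
    flows = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, dst = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.add((proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port)))
    return flows

def find_stealth_flows(host_reports, tap_flows):
    """Return {host_ip: flows} seen on the wire leaving a monitored host but
    absent from that host's own accounting. host_reports maps host IP ->
    flows its OS reported; tap_flows is the tap's view of the whole segment."""
    stealth = defaultdict(set)
    for flow in tap_flows:
        src_ip = flow[1]
        if src_ip not in host_reports:
            continue  # unmonitored host: nothing to compare against
        if flow not in host_reports[src_ip]:
            stealth[src_ip].add(flow)
    return dict(stealth)

# Constructed sample: two instrumented hosts, one tap covering the segment.
HOST_REPORTS = {
    "10.0.0.5": ["tcp 10.0.0.5:51000 93.184.216.34:443",
                 "udp 10.0.0.5:53412 10.0.0.1:53"],
    "10.0.0.6": ["tcp 10.0.0.6:40100 10.0.0.20:445"],
}
TAP_CAPTURE = [
    "tcp 10.0.0.5:51000 93.184.216.34:443",
    "udp 10.0.0.5:53412 10.0.0.1:53",
    "tcp 10.0.0.5:4444 198.51.100.9:8080",   # on the wire, not in host A's report
    "tcp 10.0.0.6:40100 10.0.0.20:445",
    "tcp 10.0.0.7:3000 10.0.0.1:80",         # host not instrumented; skipped
]

def demo():
    """Run the comparison over the constructed sample."""
    reports = {ip: parse_flows(lines) for ip, lines in HOST_REPORTS.items()}
    return find_stealth_flows(reports, parse_flows(TAP_CAPTURE))
```

In a deployment the two views would be aligned by time window and the host report collected over a channel the host cannot forge, since a compromised host may also lie about its own accounting.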
A similar method is disclosed in U.S. Pat. No. 8,079,030 to Satish et al., which claimed a method of identifying stealth network traffic using a hypervisor to monitor a virtual machine, wherein the hypervisor monitors data flowing out of the virtual guest machine and determines if the hypervisor data matches the virtual guest machine data. If they do not match, then a stealth technique was used to communicate over the network. There are at least two problems with this implementation. First, a hypervisor is a piece of software that runs on the hardware of a single machine, and provides a layer of abstraction and virtual hardware to Operating Systems (OSs) that run on it. This means that the scope of the hypervisor's ability to monitor network communications is limited to a single physical machine. A hypervisor cannot monitor an entire network of independent physical machines. Second, a hypervisor runs on the same physical machine that may be infected with malware. This makes the hypervisor susceptible to the same type of tactics the malware uses against the OS. There is no guarantee that the malware 202 is not fooling the hypervisor or simply running outside what is able to be monitored, so the network traffic captured by the hypervisor may not actually represent all network traffic to and from the physical machine. The method proposed in the present invention is scalable to practically any size network and practically guarantees that stealth network traffic will be detected on the network. These and other features and advantages of the present invention will be explained and will become obvious to one skilled in the art through the summary of the invention that follows.